Process-Oriented Modeling and Flow to Restrict Access to Objects

1. A method comprising: replicating data from a first database system to a second database system, wherein the first database system includes a first authorization concept relating to keys and key-related authorization values different from a second authorization concept related to groups of users of the second database system to restrict access to data in the respective first database system and the second database system; determining a modeling of a first access context for a first table in the replicated data based on the first authorization concept, the modeling based on a key to a second table of the first database system and a key-related authorization value in a field in the second table of the first database system; generating an access control list (ACL) rule based on the first access context to restrict access to the replicated data in the second database system to users associated with the first access context, the first access context associated with a hierarchy of groups in an entity and the ACL rule adhering to the second authorization concept while being equivalent to the first authorization concept; receiving a request to access the replicated data from a user; determining a second access context for the user, the second access context associated with a role of the user in the entity; comparing the first access context for the ACL rule and the second access context for the user to determine whether the user is allowed to access the replicated data; and allowing access to the replicated data when the second access context and the first access context indicate the user is allowed to access the replicated data.

2. The method of claim 1 , further comprising not allowing access when the second access context and the first access context indicate the user is not allowed to access the replicated data.

3. The method of claim 2 , wherein the user is not allowed to access the replicated data when the user is not associated with a role that is included in a group associated with the first access context.

4. The method of claim 1 , wherein the user is allowed access to the replicated data when the first access context matches the second access context.

5. The method of claim 1 , wherein the first access context describes an organization in the entity.

6. The method of claim 5 , wherein the first access context includes an access group describing a group of users in the organization.

7. The method of claim 6 , wherein the ACL rule specifies the first access context and the access group for the replicated data.

8. The method of claim 1 , wherein replicating the data from the first database to the second database comprises storing data from the second table in the first database to the first table in the second database, wherein the first table in the second database is associated with the ACL rule.

9. The method of claim 1 , wherein modeling comprises joining the first table in the replicated data with an ACL table including ACL information for the first access context.

10. A non-transitory computer-readable storage medium containing instructions, that when executed, control a computer system to be configured for: replicating data from a first database system to a second database system, wherein the first database system includes a first authorization concept relating to keys and key-related authorization values different from a second authorization concept related to groups of users of the second database system to restrict access to data in the respective first database system and the second database system; determining a modeling of a first access context for a first table in the replicated data based on the first authorization concept, the modeling based on a key to a second table of the first database system and a key-related authorization value in a field in the second table of the first database system; generating an ACL rule based on the first access context to restrict access to the replicated data in the second database system to users associated with the first access context, the first access context associated with a hierarchy of groups in an entity and the ACL rule adhering to the second authorization concept while being equivalent to the first authorization concept; receiving a request to access the replicated data from a user; determining a second access context for the user, the second access context associated with a role of the user in the entity; comparing the first access context for the ACL rule and the second access context for the user to determine whether the user is allowed to access the replicated data; and allowing access to the replicated data when the second access context and the first access context indicate the user is allowed to access the replicated data.

11. The non-transitory computer-readable storage medium of claim 10 , further comprising not allowing access when the second access context and the first access context indicate the user is not allowed to access the replicated data.

12. The non-transitory computer-readable storage medium of claim 11 , wherein the user is not allowed to access the replicated data when the user is not associated with a role that is included in a group associated with the first access context.

13. The non-transitory computer-readable storage medium of claim 10 , wherein the user is allowed access to the replicated data when the first access context matches the second access context.

14. The non-transitory computer-readable storage medium of claim 10 , wherein the first access context describes an organization in the entity.

15. The non-transitory computer-readable storage medium of claim 14 , wherein the first access context includes an access group describing a group of users in the organization.

16. The non-transitory computer-readable storage medium of claim 15 , wherein the ACL rule specifies the first access context and the access group for the replicated data.

17. The non-transitory computer-readable storage medium of claim 10 , wherein replicating the data from the first database to the second database comprises storing data from the second table in the first database to the first table in the second database, wherein the first table in the second database is associated with the ACL rule.

18. The method of claim 1 , wherein modeling comprises joining the first table in the replicated data with an ACL table including ACL information for the first access context.

19. An apparatus comprising: one or more computer processors; and a non-transitory computer-readable storage medium comprising instructions, that when executed, control the one or more computer processors to be configured for: replicating data from a first database system to a second database system, wherein the first database system includes a first authorization concept relating to keys and key-related authorization values different from a second authorization concept related to groups of users of the second database system to restrict access to data in the respective first database system and the second database system; determining a modeling of a first access context for a first table in the replicated data based on the first authorization concept, the modeling based on a key to a second table of the first database system and a key-related authorization value in a field in the second table of the first database system; generating an ACL rule based on the first access context to restrict access to the replicated data in the second database system to users associated with the first access context, the first access context associated with a hierarchy of groups in an entity and the ACL rule adhering to the second authorization concept while being equivalent to the first authorization concept; receiving a request to access the replicated data from a user; determining a second access context for the user, the second access context associated with a role of the user in the entity; comparing the first access context for the ACL rule and the second access context for the user to determine whether the user is allowed to access the replicated data; and allowing access to the replicated data when the second access context and the first access context indicate the user is allowed to access the replicated data.

20. The apparatus of claim 19 , further comprising not allowing access when the second access context and the first access context indicate the user is not allowed to access the replicated data.